Every October since 2004 has been recognized as National Cybersecurity Awareness Month. This recognition was a joint effort of the Department of Homeland Security and the National Cybersecurity Alliance, a non-profit organization that provides information on how to maintain personal Internet privacy. Their campaign focused on informing Internet users about the prevalence of online cyber threats and how following best practices while browsing online can help them avoid many of these malicious entities.
October 2017 was no different, as many members of the cybersecurity social media community, including those on LinkedIn and Krebs on Security, examined the current state of online privacy, cybersecurity culture in the workplace, and other related topics. Their discussions often stress that users at home as well as in the workplace should follow basic computer security principles, such as installing system patches, using antivirus software, and taking other simple actions that facilitate secure Internet usage, i.e., cyber hygiene.
As a computer-science student at UC San Diego (UCSD), I sought to analyze whether the current student population exhibited any enthusiasm regarding National Cybersecurity Awareness Month. Hence, at the end of October 2017, I created an online survey to informally assess how UCSD’s student population regarded the importance of this annual period and of maintaining cyber hygiene. The following are the survey questions, followed by their respective results:
1. Did you know that October is National Cybersecurity Awareness Month?
2. Did you take any required cybersecurity training prior to your first term as a student?
3. If you answered yes, what part of the cybersecurity training do you remember as the most critical and/or practical?
4. If your college offered unrequired annual training sessions on cyber hygiene and cybersecurity awareness, would you attend?
5. What are some actions that you currently take to maintain cyber hygiene?
6. During 2017, there have been over 30 reported data breaches, some originating from large companies including Equifax and Verizon. In light of this, have you taken any measures to increase your cybersecurity awareness?
7. How important are cyber hygiene and awareness to conducting your daily online tasks?
There were over 100 survey respondents from a wide variety of STEM and non-STEM majors. Here are my takeaways from the survey results:
For question 1, almost 80% of respondents were unaware that October was National Cybersecurity Awareness Month. During October 2017, I noticed that UCSD IT Services attempted to promote National Cybersecurity Awareness Month with fliers on campus and embedded messages within websites that most, if not all, UCSD students use at least once a week, including TritonEd, MyTritonLink, and BLINK. UCSD IT Services also provided online resources with cybersecurity awareness tips for students and other users of the UCSD network. Despite their efforts, I’m disappointed that National Cybersecurity Awareness Month did not have greater prevalence and prominence among the survey respondents. I believe that UCSD IT Services can improve this by increasing their social media outreach (Twitter, Facebook, etc.) during October with more tips on online safety and perhaps statistical information regarding the social as well as financial impacts of cyber crime, in the form of infographics or other easily viewable formats.
I was most excited to examine how the survey respondents answered questions 2 and 3. At UCSD, every incoming freshman and transfer student must complete an online cybersecurity training course that is roughly an hour long and only has to be completed once. Only 11% of survey respondents said that they remembered taking this training course! Furthermore, some of these individuals even said that they don’t remember the topics from the training course. This training course may have a limited influence on UCSD students; these results also make me question how college students will acknowledge and adapt to a growing landscape of sophisticated cyber threats. Many members of the online cybersecurity social media community emphasize that cybersecurity trainings should be completed by employees either annually or bi-annually to bolster organizations’ cybersecurity postures. Hence, if universities and colleges serve to prepare students for professional careers in their respective fields, shouldn’t they also remind students more often of the importance of cybersecurity trainings? Unfortunately, for question 4, 93% of survey respondents indicated that they would either consider attending or not attend annual training sessions on cybersecurity awareness. I suspect these considerations could be false positives because all UCSD students have to adjust to new schedules every 3 months during an academic year. Hence, it would not be surprising if many of these students failed to consider cybersecurity trainings a critical component of their quarterly schedule, unless strictly required by UCSD.
For question 5, many of the survey respondents demonstrated that they practiced some forms of online safety, including using antivirus software, installing software patches, and screening emails for malicious links and attachments. However, using password managers and “strong” passwords that are at least 8 characters long with 1 uppercase character, 1 lowercase character, and 1 symbol were the least chosen options. When passwords and passphrases are used effectively, they readily provide protection against various methods of compromising a computer’s security. Yet this simple protective mechanism is often neglected or poorly implemented, e.g., by reusing passwords and creating trivially simple passwords such as “password” and “123456”. Furthermore, poor password practices are habitual and can follow users for many years. Hence, it’s crucial that college students understand, at an early age, the strengths and vulnerabilities to consider when creating passwords. To read more about good password practices, I recommend checking out Haight Bey & Associates’ blog on this topic. The author, Adam Austin, explains that an effective password is at least 15 characters long and incorporates a passphrase like “checkunderthedoormat”. Essentially, he stresses that implementing strong passwords and associated guidelines can be painless and can bolster our computers’ basic security functionalities.
According to the Identity Theft Resource Center (ITRC), there were over 1202 reported data breaches during 2017 from the American financial, private, public, government, and health sectors. This is a new all-time record, as the ITRC reported 1093 data breaches in 2016. This motivated me to ask question 6, for which a majority of survey respondents indicated that they have not taken any actions to improve their cybersecurity awareness and cyber hygiene. Hence, what will it take to convince users that their personal information and online credentials are constantly vulnerable to malicious entities that seek to profit from collecting these forms of data? The number of highly publicized data breaches is growing yearly, but it seems that college students and younger generations are coming to regard these types of incidents as normal. It is crucial that college students are curious to learn more about how and why data breaches occur. This will facilitate a generation of college students who will be more prepared to uphold the cybersecurity culture and policies of their workplace.
For the last question of the survey, question 7, over 90% of survey respondents indicated that cyber hygiene and cybersecurity awareness were important to some extent while conducting online tasks. This question was meant to address the theme of this survey and blog: how UCSD students viewed the importance of upholding basic cyber and computer security principles during National Cybersecurity Awareness Month. Although a majority of survey respondents responded that these principles were somewhat significant, I had wished to observe a greater number of respondents who held a stronger view of the significance of cybersecurity awareness.
I understand that these results are reflective of only a small sample of UCSD’s large student body, but I strongly believe that UCSD and other universities should continue to promote National Cybersecurity Awareness Month among their respective students. The principles of cyber and computer security are relatable to students of all majors and backgrounds. Every member of an organization is expected to contribute to the front-line defense against cyber threats. If this is so, educational institutions of all types should implement some form of cybersecurity training to emphasize the different consequences of cyber threats and thus prepare students for complying with cybersecurity policies. Ultimately, it must be stressed to college students and younger generations that there are malicious entities that seek to prey on vulnerable Internet users who are careless and do not practice cyber hygiene effectively.